[Closed] I think my machine is infected


2 replies to this topic

#1 mehhelp99

New Member, 1 posts

Posted 02 November 2009 - 12:09 AM

I started experiencing these things yesterday:

1) Random Firefox pop-ups: Firefox launches by itself and opens up 4 windows.

2) Cannot boot into safemode:
At the safemode option screen, regardless of which safemode boot option (with network, with command prompt, etc.) I choose, the PC reboots and returns me to the safemode option screen. I can only login in “normal mode.”

The random pop-ups and the inability to boot into safemode led me to suspect that my machine may have been infected with something that edited my registry, even though Norton AV v.11, Spybot, and Trend Micro Housecall detect nothing. I've also tried to use Windows Restore to return to a restore point a couple of days before I started experiencing these issues and that did not help.

Here is my DDS log:
DDS (Ver_09-06-26.01) - NTFSx86  
Run by Window User at 23:16:37.53 on Sun 11/01/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3070.2459 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)   {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled*   {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\RTHDCPL.EXE
C:\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Download\drivers2\evgamobo\raid\XP 2K RAID floppy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Download\fix\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [AlcoholAutomount] "c:\alcohol soft\alcohol 120\axcmd.exe" /automount
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RivaTunerStartupDaemon] "c:\rivatuner v2.22\RivaTuner.exe" /S
mRun: [RemoteControl] c:\cyberlink\powerdvd\PDVDServ.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Nero DriveSpeed] c:\progra~1\nero\nero7~1\neroto~1\DRIVES~1.EXE
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [LanguageShortcut] c:\cyberlink\powerdvd\language\Language.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Alcmtr] ALCMTR.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EVGAPrecision] "c:\evga precision\EVGAPrecision.exe" /s
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe"  -osboot
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
dRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
StartupFolder: c:\docume~1\window~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234439768546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\window~1\applic~1\mozilla\firefox\profiles\115u7vry.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?hl=en
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota",	  5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history",	 true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata",	true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords",   false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads",   true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies",	 true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache",	   true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions",	true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history",				 true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata",				true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords",			   false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads",			   true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies",				 true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache",				   true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions",				true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps",			 false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings",			false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs",	false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\cyberlink\powerdvd\000.fcl [2009-2-22 13560]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-6-26 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-6-26 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-6-26 2440120]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-30 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091101.022\NAVENG.SYS [2009-11-1 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091101.022\NAVEX15.SYS [2009-11-1 1323568]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-2-12 1684736]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-6-26 23888]
S3 RMWPService;RMWPService;c:\reference manager 12\webpublisher\thirdparty\apache2\bin\RMWP_Apache_Admin.exe [2004-1-28 20537]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

=============== Created Last 30 ================

2009-11-01 21:57	<DIR>	--d-----	C:\Trend Micro
2009-11-01 21:13	93,360	a-------	c:\windows\system32\drivers\SBREDrv.sys
2009-11-01 20:44	<DIR>	--d-----	C:\Spybot - Search & Destroy
2009-11-01 20:44	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-11-01 18:54	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-11-01 18:54	<DIR>	--d-----	C:\SUPERAntiSpyware
2009-11-01 18:54	<DIR>	--d-----	c:\docume~1\window~1\applic~1\SUPERAntiSpyware.com
2009-11-01 18:41	<DIR>	--d-----	C:\RootkitNO
2009-11-01 17:19	2	a--shrot	c:\windows\winstart.bat
2009-11-01 17:19	<DIR>	--d-----	C:\UnHackMe
2009-11-01 16:37	<DIR>	--d-----	c:\windows\system32\wbem\Repository
2009-11-01 16:37	<DIR>	--d-----	C:\DAEMON Tools Lite
2009-11-01 16:37	<DIR>	--d-----	C:\Any Video Converter Professional
2009-11-01 16:28	4,928	a-------	c:\windows\system32\PerfStringBackup.TMP
2009-10-31 23:50	<DIR>	--d-----	c:\program files\WinDefender32
2009-10-31 23:50	24,791	a-------	c:\docume~1\window~1\applic~1\addons.dat
2009-10-31 00:06	<DIR>	--d-----	c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP
2009-10-31 00:06	<DIR>	--d-----	C:\Codemasters
2009-10-21 02:04	315,392	a-------	c:\windows\system32\TubeFinder.exe
2009-10-21 02:04	364,544	a-------	c:\windows\system32\PropertyGrid.ocx
2009-10-21 02:04	208,500	a-------	c:\windows\system32\ReyXpBasics.tlb
2009-10-21 02:04	141,312	a-------	c:\windows\system32\MSCMCFR.DLL
2009-10-21 02:04	119,568	a-------	c:\windows\system32\VB6FR.DLL
2009-10-21 02:04	101,888	a-------	c:\windows\system32\VB6STKIT.DLL
2009-10-21 02:04	84,512	a-------	c:\windows\system32\PICCLP32.OCX
2009-10-21 02:04	32,768	a-------	c:\windows\system32\CMDLGFR.DLL
2009-10-21 02:04	24,576	a-------	c:\windows\system32\ControlSubX.ocx
2009-10-21 02:04	9,728	a-------	c:\windows\system32\PCCLPFR.DLL
2009-10-21 02:04	<DIR>	--d-----	C:\Free FLV Converter
2009-10-21 02:04	<DIR>	--d-----	c:\docume~1\window~1\applic~1\FreeFLVConverter
2009-10-05 01:18	<DIR>	--d-----	c:\program files\common files\Macrovision Shared
2009-10-05 01:18	45,392	a----r--	c:\windows\system32\AdobePDF.dll
2009-10-05 01:18	22,872	a----r--	c:\windows\system32\AdobePDFUI.dll

==================== Find3M  ====================

2009-11-01 16:52	691,696	a-------	c:\windows\system32\drivers\sptd.sys
2009-10-08 14:57	611,328	a-------	c:\windows\system32\uiautomationcore.dll
2009-10-08 14:57	220,160	a-------	c:\windows\system32\oleacc.dll
2009-10-08 14:56	20,480	a-------	c:\windows\system32\oleaccrc.dll
2009-09-11 09:18	136,192	a-------	c:\windows\system32\msv1_0.dll
2009-09-06 03:11	281,760	a-------	c:\windows\system32\drivers\atksgt.sys
2009-09-06 03:11	25,888	a-------	c:\windows\system32\drivers\lirsgt.sys
2009-09-04 16:03	58,880	a-------	c:\windows\system32\msasn1.dll
2009-08-29 03:08	916,480	a-------	c:\windows\system32\wininet.dll
2009-08-26 03:00	247,326	--------	c:\windows\system32\strmdll.dll
2009-08-05 04:01	204,800	--------	c:\windows\system32\mswebdvd.dll
2009-08-04 18:52	1,193,832	a-------	c:\windows\system32\FM20.DLL
2009-08-04 10:13	2,145,280	--------	c:\windows\system32\ntoskrnl.exe
2009-08-04 09:20	2,023,936	--------	c:\windows\system32\ntkrnlpa.exe
2006-03-08 04:09	8,149	----h---	c:\docume~1\window~1\applic~1\logs.dat

============= FINISH: 23:17:46.59 ===============

I am trying to generate a log from RootRepeal, but it is taking so many hours to scan that I am not sure if it is working or not. The program seems to take over all my system resources and there is no indication of any progress other than "scanning...", and sometimes it looks like the program might be hanging. Is this normal? I have no other programs running and even turned off my AV while it's scanning.

I just ran MBAM and it detected (and cleaned) 5 instances of the "bifrose" infection. I am still experiencing the issues I outlined in the beginning of the post, so the problem is still not fixed. Below is my MBAM log.

Malwarebytes' Anti-Malware 1.41
Database version: 3081
Windows 5.1.2600 Service Pack 3

11/2/2009 2:08:23 AM
mbam-log-2009-11-02 (02-08-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 318525
Time elapsed: 39 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{e86a2093-29b2-31bf-772e-6b13ec6986ba} (Backdoor.Bifrose) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SlysBitch (Bifrose.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WinDefend32 (Bifrose.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Window User\Application Data\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Window User\Application Data\addons.dat (Bifrose.Trace) -> Quarantined and deleted successfully.

Ok, so it seems like maybe RootRepeal just takes a long time to scan. I am going to let it scan overnight and post the log once it's done. Please let me know if there is anything else I can include.

[edit]
Ok, I am experiencing a problem with RootRepeal. I can scan using any of the tabs and generate a report except for "hidden services" and "shadow SSDT." If I scan these tabs, RootRepeal hangs and my system slows to a crawl even after I close RootRepeal. I am not sure if that is related to the infection on my machine. At any rate, below are the RR logs I was able to generate using the tabs that didn't cause RR to hang.

RootRepeal drivers scan
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/11/02 07:03
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP3
==================================================

Drivers
-------------------
Name: 000.fcl
Image Path: C:\CyberLink\PowerDVD\000.fcl
Address: 0xBA64C000	Size: 6656	File Visible: -	Signed: -
Status: -

Name: 1394BUS.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\1394BUS.SYS
Address: 0xBA0B8000	Size: 57344	File Visible: -	Signed: -
Status: -

Name: a38fasy1.SYS
Image Path: C:\WINDOWS\System32\Drivers\a38fasy1.SYS
Address: 0xB9489000	Size: 225280	File Visible: -	Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xB9E6E000	Size: 187776	File Visible: -	Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000	Size: 2150400	File Visible: -	Signed: -
Status: -

Name: ad4p5khu.SYS
Image Path: C:\WINDOWS\System32\Drivers\ad4p5khu.SYS
Address: 0xB9450000	Size: 233472	File Visible: -	Signed: -
Status: -

Name: afd.sys
Image Path: C:\WINDOWS\System32\drivers\afd.sys
Address: 0xB685A000	Size: 138496	File Visible: -	Signed: -
Status: -

Name: arp1394.sys
Image Path: C:\WINDOWS\System32\DRIVERS\arp1394.sys
Address: 0xBA268000	Size: 60800	File Visible: -	Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xB9E26000	Size: 98304	File Visible: -	Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0x00000000	Size: 0	File Visible: -	Signed: -
Status: -

Name: atksgt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\atksgt.sys
Address: 0xB5B1E000	Size: 274432	File Visible: -	Signed: -
Status: -

Name: ATMFD.DLL
Image Path: C:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000	Size: 286720	File Visible: -	Signed: -
Status: -

Name: audstub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys
Address: 0xBA725000	Size: 3072	File Visible: -	Signed: -
Status: -

Name: Beep.SYS
Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xBA646000	Size: 4224	File Visible: -	Signed: -
Status: -

Name: BOOTVID.dll
Image Path: C:\WINDOWS\system32\BOOTVID.dll
Address: 0xBA4B8000	Size: 12288	File Visible: -	Signed: -
Status: -

Name: Cdfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xB9419000	Size: 63744	File Visible: -	Signed: -
Status: -

Name: cdrom.sys
Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys
Address: 0xBA318000	Size: 62976	File Visible: -	Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS
Address: 0xBA108000	Size: 53248	File Visible: -	Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xBA0F8000	Size: 36352	File Visible: -	Signed: -
Status: -

Name: drmk.sys
Image Path: C:\WINDOWS\system32\drivers\drmk.sys
Address: 0xBA288000	Size: 61440	File Visible: -	Signed: -
Status: -

Name: dump_diskdump.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys
Address: 0xBA578000	Size: 16384	File Visible: No	Signed: -
Status: -

Name: dump_nvgts.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_nvgts.sys
Address: 0xB65BF000	Size: 151552	File Visible: No	Signed: -
Status: -

Name: Dxapi.sys
Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xB92CC000	Size: 12288	File Visible: -	Signed: -
Status: -

Name: dxg.sys
Image Path: C:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF000000	Size: 73728	File Visible: -	Signed: -
Status: -

Name: dxgthk.sys
Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xBA712000	Size: 4096	File Visible: -	Signed: -
Status: -

Name: eeCtrl.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
Address: 0xB66F7000	Size: 385024	File Visible: -	Signed: -
Status: -

Name: EraserUtilRebootDrv.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
Address: 0xB66DA000	Size: 118784	File Visible: -	Signed: -
Status: -

Name: fdc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys
Address: 0xBA3D0000	Size: 27392	File Visible: -	Signed: -
Status: -

Name: Fips.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS
Address: 0xB6BF9000	Size: 44544	File Visible: -	Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xB9DC7000	Size: 129792	File Visible: -	Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xBA618000	Size: 7936	File Visible: -	Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xB9E3E000	Size: 125056	File Visible: -	Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xBA671000	Size: 1664	File Visible: No	Signed: -
Status: -

Name: hal.dll
Image Path: C:\WINDOWS\system32\hal.dll
Address: 0x806E4000	Size: 134400	File Visible: -	Signed: -
Status: -

Name: HDAudBus.sys
Image Path: C:\WINDOWS\System32\DRIVERS\HDAudBus.sys
Address: 0xB95D2000	Size: 151552	File Visible: -	Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: C:\WINDOWS\System32\Drivers\HIDCLASS.SYS
Address: 0xBA248000	Size: 36864	File Visible: -	Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: C:\WINDOWS\System32\Drivers\HIDPARSE.SYS
Address: 0xBA430000	Size: 28672	File Visible: -	Signed: -
Status: -

Name: hidusb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\hidusb.sys
Address: 0xB95BE000	Size: 10368	File Visible: -	Signed: -
Status: -

Name: HTTP.sys
Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys
Address: 0xB55DB000	Size: 264832	File Visible: -	Signed: -
Status: -

Name: i8042prt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys
Address: 0xBA2F8000	Size: 52480	File Visible: -	Signed: -
Status: -

Name: imapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys
Address: 0xBA308000	Size: 42112	File Visible: -	Signed: -
Status: -

Name: intelppm.sys
Image Path: C:\WINDOWS\System32\DRIVERS\intelppm.sys
Address: 0xBA2D8000	Size: 36352	File Visible: -	Signed: -
Status: -

Name: ipnat.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys
Address: 0xB68D2000	Size: 152832	File Visible: -	Signed: -
Status: -

Name: ipsec.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys
Address: 0xB6951000	Size: 75264	File Visible: -	Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xBA0C8000	Size: 37248	File Visible: -	Signed: -
Status: -

Name: kbdclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys
Address: 0xBA400000	Size: 24576	File Visible: -	Signed: -
Status: -

Name: kbdhid.sys
Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xB53EF000	Size: 14592	File Visible: -	Signed: -
Status: -

Name: KDCOM.DLL
Image Path: C:\WINDOWS\system32\KDCOM.DLL
Address: 0xBA5A8000	Size: 8192	File Visible: -	Signed: -
Status: -

Name: kmixer.sys
Image Path: C:\WINDOWS\system32\drivers\kmixer.sys
Address: 0xB4CA1000	Size: 172416	File Visible: -	Signed: -
Status: -

Name: ks.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys
Address: 0xB95F7000	Size: 143360	File Visible: -	Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xB9DB0000	Size: 92928	File Visible: -	Signed: -
Status: -

Name: LHidFlt2.Sys
Image Path: C:\WINDOWS\System32\DRIVERS\LHidFlt2.Sys
Address: 0xBA450000	Size: 24448	File Visible: -	Signed: -
Status: -

Name: LHidUsb.Sys
Image Path: C:\WINDOWS\System32\Drivers\LHidUsb.Sys
Address: 0xBA218000	Size: 33536	File Visible: -	Signed: -
Status: -

Name: lirsgt.sys
Image Path: C:\WINDOWS\system32\DRIVERS\lirsgt.sys
Address: 0xBA3C0000	Size: 18560	File Visible: -	Signed: -
Status: -

Name: LMouFlt2.Sys
Image Path: C:\WINDOWS\System32\DRIVERS\LMouFlt2.Sys
Address: 0xB6B99000	Size: 63424	File Visible: -	Signed: -
Status: -

Name: mnmdd.SYS
Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS
Address: 0xBA64A000	Size: 4224	File Visible: -	Signed: -
Status: -

Name: mouclass.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys
Address: 0xBA3D8000	Size: 23040	File Visible: -	Signed: -
Status: -

Name: mouhid.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys
Address: 0xB95AA000	Size: 12160	File Visible: -	Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xBA0D8000	Size: 42368	File Visible: -	Signed: -
Status: -

Name: mrxdav.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys
Address: 0xB5B61000	Size: 180608	File Visible: -	Signed: -
Status: -

Name: mrxsmb.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
Address: 0xB6755000	Size: 455296	File Visible: -	Signed: -
Status: -

Name: Msfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xBA3C8000	Size: 19072	File Visible: -	Signed: -
Status: -

Name: msgpc.sys
Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys
Address: 0xBA1A8000	Size: 35072	File Visible: -	Signed: -
Status: -

Name: mssmbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys
Address: 0xB9CA8000	Size: 15488	File Visible: -	Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xB9CDC000	Size: 105344	File Visible: -	Signed: -
Status: -

Name: NAVENG.SYS
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20091101.022\NAVENG.SYS
Address: 0xB69AC000	Size: 78208	File Visible: -	Signed: -
Status: -

Name: NAVEX15.SYS
Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20091101.022\NAVEX15.SYS
Address: 0xB69E5000	Size: 1316864	File Visible: -	Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xB9CF6000	Size: 182656	File Visible: -	Signed: -
Status: -

Name: ndistapi.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys
Address: 0xBA59C000	Size: 10112	File Visible: -	Signed: -
Status: -

Name: ndisuio.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys
Address: 0xBA558000	Size: 14592	File Visible: -	Signed: -
Status: -

Name: ndiswan.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys
Address: 0xB9439000	Size: 91520	File Visible: -	Signed: -
Status: -

Name: NDProxy.SYS
Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xBA1D8000	Size: 40576	File Visible: -	Signed: -
Status: -

Name: netbios.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys
Address: 0xB6C29000	Size: 34688	File Visible: -	Signed: -
Status: -

Name: netbt.sys
Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys
Address: 0xB687C000	Size: 162816	File Visible: -	Signed: -
Status: -

Name: nic1394.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nic1394.sys
Address: 0xBA148000	Size: 61824	File Visible: -	Signed: -
Status: -

Name: Npfs.SYS
Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xBA3E8000	Size: 30848	File Visible: -	Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xB9D23000	Size: 574976	File Visible: -	Signed: -
Status: -

Name: ntkrnlpa.exe
Image Path: C:\WINDOWS\system32\ntkrnlpa.exe
Address: 0x804D7000	Size: 2150400	File Visible: -	Signed: -
Status: -

Name: Null.SYS
Image Path: C:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xBA7D1000	Size: 2944	File Visible: -	Signed: -
Status: -

Name: nv4_disp.dll
Image Path: C:\WINDOWS\System32\nv4_disp.dll
Address: 0xBF012000	Size: 6189056	File Visible: -	Signed: -
Status: -

Name: nv4_mini.sys
Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
Address: 0xB9652000	Size: 6280416	File Visible: -	Signed: -
Status: -

Name: nvatabus.sys
Image Path: nvatabus.sys
Address: 0xB9DE7000	Size: 106496	File Visible: -	Signed: -
Status: -

Name: nvatabus.sys
Image Path: nvatabus.sys
Address: 0x00000000	Size: 0	File Visible: -	Signed: -
Status: -

Name: NVENETFD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\NVENETFD.sys
Address: 0xBA278000	Size: 54784	File Visible: -	Signed: -
Status: -

Name: nvgts.sys
Image Path: nvgts.sys
Address: 0xB9E01000	Size: 151552	File Visible: -	Signed: -
Status: -

Name: nvnetbus.sys
Image Path: C:\WINDOWS\System32\DRIVERS\nvnetbus.sys
Address: 0xBA168000	Size: 40960	File Visible: -	Signed: -
Status: -

Name: NVNRM.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\NVNRM.SYS
Address: 0xB94C0000	Size: 958464	File Visible: -	Signed: -
Status: -

Name: nvoclock.sys
Image Path: C:\WINDOWS\nvoclock.sys
Address: 0xBA3E0000	Size: 29696	File Visible: -	Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xBA0A8000	Size: 61696	File Visible: -	Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xBA330000	Size: 19712	File Visible: -	Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xB9E5D000	Size: 68224	File Visible: -	Signed: -
Status: -

Name: PCI_PNP2406
Image Path: \Driver\PCI_PNP2406
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xBA670000	Size: 3328	File Visible: -	Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS
Address: 0xBA328000	Size: 28672	File Visible: -	Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000	Size: 2150400	File Visible: -	Signed: -
Status: -

Name: portcls.sys
Image Path: C:\WINDOWS\system32\drivers\portcls.sys
Address: 0xB6C6B000	Size: 147456	File Visible: -	Signed: -
Status: -

Name: psched.sys
Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys
Address: 0xB9388000	Size: 69120	File Visible: -	Signed: -
Status: -

Name: ptilink.sys
Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys
Address: 0xBA3A8000	Size: 17792	File Visible: -	Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xBA118000	Size: 35712	File Visible: -	Signed: -
Status: -

Name: rasacd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys
Address: 0xBA584000	Size: 8832	File Visible: -	Signed: -
Status: -

Name: rasl2tp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
Address: 0xBA178000	Size: 51328	File Visible: -	Signed: -
Status: -

Name: raspppoe.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys
Address: 0xBA188000	Size: 41472	File Visible: -	Signed: -
Status: -

Name: raspptp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys
Address: 0xBA198000	Size: 48384	File Visible: -	Signed: -
Status: -

Name: raspti.sys
Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys
Address: 0xBA3B8000	Size: 16512	File Visible: -	Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000	Size: 2150400	File Visible: -	Signed: -
Status: -

Name: rdbss.sys
Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys
Address: 0xB67C5000	Size: 175744	File Visible: -	Signed: -
Status: -

Name: RDPCDD.sys
Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xBA64E000	Size: 4224	File Visible: -	Signed: -
Status: -

Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys
Address: 0xBA158000	Size: 57600	File Visible: -	Signed: -
Status: -

Name: RivaTuner32.sys
Image Path: C:\RivaTuner v2.22\RivaTuner32.sys
Address: 0xB5730000	Size: 9088	File Visible: -	Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5A04000	Size: 49152	File Visible: No	Signed: -
Status: -

Name: RtkHDAud.sys
Image Path: C:\WINDOWS\system32\drivers\RtkHDAud.sys
Address: 0xB6C8F000	Size: 5210112	File Visible: -	Signed: -
Status: -

Name: SCSIPORT.SYS
Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS
Address: 0xB9E9C000	Size: 98304	File Visible: -	Signed: -
Status: -

Name: serenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys
Address: 0xBA564000	Size: 15744	File Visible: -	Signed: -
Status: -

Name: serial.sys
Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys
Address: 0xBA2E8000	Size: 64512	File Visible: -	Signed: -
Status: -

Name: SPBBCDrv.sys
Image Path: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
Address: 0xB67F0000	Size: 434176	File Visible: -	Signed: -
Status: -

Name: spde.sys
Image Path: spde.sys
Address: 0xB9EB4000	Size: 995328	File Visible: No	Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000	Size: 0	File Visible: No	Signed: -
Status: -

Name: SRTSP.SYS
Image Path: C:\WINDOWS\System32\Drivers\SRTSP.SYS
Address: 0xB6B27000	Size: 303104	File Visible: -	Signed: -
Status: -

Name: SRTSPX.SYS
Image Path: C:\WINDOWS\System32\Drivers\SRTSPX.SYS
Address: 0xB93E9000	Size: 37120	File Visible: -	Signed: -
Status: -

Name: srv.sys
Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys
Address: 0xB5AA4000	Size: 333952	File Visible: -	Signed: -
Status: -

Name: swenum.sys
Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys
Address: 0xBA5D6000	Size: 4352	File Visible: -	Signed: -
Status: -

Name: SYMEVENT.SYS
Image Path: C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
Address: 0xB69C0000	Size: 151552	File Visible: -	Signed: -
Status: -

Name: SYMREDRV.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
Address: 0xBA378000	Size: 20992	File Visible: -	Signed: -
Status: -

Name: SYMTDI.SYS
Image Path: C:\WINDOWS\System32\Drivers\SYMTDI.SYS
Address: 0xB68A4000	Size: 184832	File Visible: -	Signed: -
Status: -

Name: sysaudio.sys
Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys
Address: 0xB9399000	Size: 60800	File Visible: -	Signed: -
Status: -

Name: tcpip.sys
Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys
Address: 0xB68F8000	Size: 361600	File Visible: -	Signed: -
Status: -

Name: TDI.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS
Address: 0xBA388000	Size: 20480	File Visible: -	Signed: -
Status: -

Name: teefer2.sys
Image Path: C:\WINDOWS\system32\DRIVERS\teefer2.sys
Address: 0xB9352000	Size: 221184	File Visible: -	Signed: -
Status: -

Name: termdd.sys
Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys
Address: 0xBA1B8000	Size: 40704	File Visible: -	Signed: -
Status: -

Name: update.sys
Image Path: C:\WINDOWS\System32\DRIVERS\update.sys
Address: 0xB92F4000	Size: 384768	File Visible: -	Signed: -
Status: -

Name: USBD.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS
Address: 0xBA5E0000	Size: 8192	File Visible: -	Signed: -
Status: -

Name: usbehci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys
Address: 0xBA440000	Size: 30208	File Visible: -	Signed: -
Status: -

Name: usbhub.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys
Address: 0xBA258000	Size: 59520	File Visible: -	Signed: -
Status: -

Name: usbohci.sys
Image Path: C:\WINDOWS\System32\DRIVERS\usbohci.sys
Address: 0xBA410000	Size: 17152	File Visible: -	Signed: -
Status: -

Name: USBPORT.SYS
Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS
Address: 0xB961A000	Size: 147456	File Visible: -	Signed: -
Status: -

Name: vga.sys
Image Path: C:\WINDOWS\System32\drivers\vga.sys
Address: 0xBA3B0000	Size: 20992	File Visible: -	Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS
Address: 0xB963E000	Size: 81920	File Visible: -	Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xBA0E8000	Size: 52352	File Visible: -	Signed: -
Status: -

Name: wanarp.sys
Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys
Address: 0xBA1F8000	Size: 34560	File Visible: -	Signed: -
Status: -

Name: watchdog.sys
Image Path: C:\WINDOWS\System32\watchdog.sys
Address: 0xBA390000	Size: 20480	File Visible: -	Signed: -
Status: -

Name: wdmaud.sys
Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys
Address: 0xB5E0A000	Size: 83072	File Visible: -	Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000	Size: 1847296	File Visible: -	Signed: -
Status: -

Name: win32k.sys
Image Path: C:\WINDOWS\System32\win32k.sys
Address: 0xBF800000	Size: 1847296	File Visible: -	Signed: -
Status: -

Name: WmBEnum.sys
Image Path: C:\WINDOWS\system32\drivers\WmBEnum.sys
Address: 0xB9CA4000	Size: 12672	File Visible: -	Signed: -
Status: -

Name: WmFilter.sys
Image Path: C:\WINDOWS\system32\drivers\WmFilter.sys
Address: 0xBA470000	Size: 22528	File Visible: -	Signed: -
Status: -

Name: WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS
Address: 0xBA5AA000	Size: 8192	File Visible: -	Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000	Size: 2150400	File Visible: -	Signed: -
Status: -

Name: WmVirHid.sys
Image Path: C:\WINDOWS\system32\drivers\WmVirHid.sys
Address: 0xBA65A000	Size: 8064	File Visible: -	Signed: -
Status: -

Name: WmXlCore.sys
Image Path: C:\WINDOWS\system32\drivers\WmXlCore.sys
Address: 0xBA1C8000	Size: 42496	File Visible: -	Signed: -
Status: -

Name: wpsdrvnt.sys
Image Path: C:\WINDOWS\system32\drivers\wpsdrvnt.sys
Address: 0xBA1E8000	Size: 57344	File Visible: -	Signed: -
Status: -

Name: WpsHelper.sys
Image Path: C:\WINDOWS\system32\drivers\WpsHelper.sys
Address: 0xB5BB6000	Size: 144256	File Visible: -	Signed: -
Status: -

RootRepeal Processes scan
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/11/02 07:03
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP3
==================================================

Processes
-------------------
Path: System
PID: 4	Status: -

Path: C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PID: 180	Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 212	Status: -

Path: C:\WINDOWS\system32\spoolsv.exe
PID: 592	Status: -

Path: C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PID: 704	Status: -

Path: C:\WINDOWS\system32\smss.exe
PID: 872	Status: -

Path: C:\WINDOWS\system32\csrss.exe
PID: 932	Status: -

Path: C:\WINDOWS\system32\winlogon.exe
PID: 956	Status: -

Path: C:\WINDOWS\system32\services.exe
PID: 1008	Status: -

Path: C:\WINDOWS\system32\lsass.exe
PID: 1020	Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1100	Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1200	Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1260	Status: -

Path: C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
PID: 1276	Status: -

Path: C:\Program Files\Java\jre6\bin\jqs.exe
PID: 1388	Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1412	Status: -

Path: C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PID: 1452	Status: -

Path: C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PID: 1544	Status: -

Path: C:\WINDOWS\system32\alg.exe
PID: 1648	Status: -

Path: C:\WINDOWS\explorer.exe
PID: 1748	Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1844	Status: -

Path: C:\WINDOWS\system32\svchost.exe
PID: 1944	Status: -

Path: C:\WINDOWS\system32\nvsvc32.exe
PID: 1996	Status: -

Path: C:\Program Files\CyberLink\Shared Files\RichVideo.exe
PID: 2024	Status: -

Path: C:\Program Files\Winamp\winampa.exe
PID: 2392	Status: -

Path: C:\WINDOWS\system32\wuauclt.exe
PID: 2560	Status: -

Path: C:\Download\fix\RootRepeal.exe
PID: 2568	Status: -

Path: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PID: 2600	Status: -

Path: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
PID: 2632	Status: -

Path: C:\WINDOWS\RTHDCPL.EXE
PID: 2644	Status: -

Path: C:\CyberLink\PowerDVD\PDVDServ.exe
PID: 2668	Status: -

Path: C:\PROGRA~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
PID: 2704	Status: -

Path: C:\WINDOWS\system32\ctfmon.exe
PID: 2820	Status: -

Path: C:\WINDOWS\system32\wbem\wmiprvse.exe
PID: 2864	Status: -

Path: C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
PID: 3072	Status: -

Path: C:\Program Files\Logitech\Gaming Software\LWEMon.exe
PID: 3080	Status: -

Path: C:\Program Files\Mozilla Firefox\firefox.exe
PID: 3200	Status: -

Path: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PID: 3368	Status: -

Path: C:\Program Files\Java\jre6\bin\jusched.exe
PID: 3380	Status: -

Path: C:\WINDOWS\system32\rundll32.exe
PID: 3500	Status: -

Path: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PID: 3508	Status: -

Path: C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
PID: 3848	Status: -

RootRepeal SSDT scan
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time:		2009/11/02 07:03
Program Version:		Version 1.3.5.0
Windows Version:		Windows XP SP3
==================================================
SSDT
-------------------
#: 000	Function Name: NtAcceptConnectPort
Status: Not hooked

#: 001	Function Name: NtAccessCheck
Status: Not hooked

#: 002	Function Name: NtAccessCheckAndAuditAlarm
Status: Not hooked

#: 003	Function Name: NtAccessCheckByType
Status: Not hooked

#: 004	Function Name: NtAccessCheckByTypeAndAuditAlarm
Status: Not hooked

#: 005	Function Name: NtAccessCheckByTypeResultList
Status: Not hooked

#: 006	Function Name: NtAccessCheckByTypeResultListAndAuditAlarm
Status: Not hooked

#: 007	Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle
Status: Not hooked

#: 008	Function Name: NtAddAtom
Status: Not hooked

#: 009	Function Name: NtAddBootEntry
Status: Not hooked

#: 010	Function Name: NtAdjustGroupsToken
Status: Not hooked

#: 011	Function Name: NtAdjustPrivilegesToken
Status: Not hooked

#: 012	Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x88c9cab0

#: 013	Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8a2ffa70

#: 014	Function Name: NtAllocateLocallyUniqueId
Status: Not hooked

#: 015	Function Name: NtAllocateUserPhysicalPages
Status: Not hooked

#: 016	Function Name: NtAllocateUuids
Status: Not hooked

#: 017	Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x89508700

#: 018	Function Name: NtAreMappedFilesTheSame
Status: Not hooked

#: 019	Function Name: NtAssignProcessToJobObject
Status: Not hooked

#: 020	Function Name: NtCallbackReturn
Status: Not hooked

#: 021	Function Name: NtCancelDeviceWakeupRequest
Status: Not hooked

#: 022	Function Name: NtCancelIoFile
Status: Not hooked

#: 023	Function Name: NtCancelTimer
Status: Not hooked

#: 024	Function Name: NtClearEvent
Status: Not hooked

#: 025	Function Name: NtClose
Status: Not hooked

#: 026	Function Name: NtCloseObjectAuditAlarm
Status: Not hooked

#: 027	Function Name: NtCompactKeys
Status: Not hooked

#: 028	Function Name: NtCompareTokens
Status: Not hooked

#: 029	Function Name: NtCompleteConnectPort
Status: Not hooked

#: 030	Function Name: NtCompressKey
Status: Not hooked

#: 031	Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8959f6f0

#: 032	Function Name: NtContinue
Status: Not hooked

#: 033	Function Name: NtCreateDebugObject
Status: Not hooked

#: 034	Function Name: NtCreateDirectoryObject
Status: Not hooked

#: 035	Function Name: NtCreateEvent
Status: Not hooked

#: 036	Function Name: NtCreateEventPair
Status: Not hooked

#: 037	Function Name: NtCreateFile
Status: Not hooked

#: 038	Function Name: NtCreateIoCompletion
Status: Not hooked

#: 039	Function Name: NtCreateJobObject
Status: Not hooked

#: 040	Function Name: NtCreateJobSet
Status: Not hooked

#: 041	Function Name: NtCreateKey
Status: Hooked by "spde.sys" at address 0xb9eb50e0

#: 042	Function Name: NtCreateMailslotFile
Status: Not hooked

#: 043	Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x894e2700

#: 044	Function Name: NtCreateNamedPipeFile
Status: Not hooked

#: 045	Function Name: NtCreatePagingFile
Status: Not hooked

#: 046	Function Name: NtCreatePort
Status: Not hooked

#: 047	Function Name: NtCreateProcess
Status: Not hooked

#: 048	Function Name: NtCreateProcessEx
Status: Not hooked

#: 049	Function Name: NtCreateProfile
Status: Not hooked

#: 050	Function Name: NtCreateSection
Status: Not hooked

#: 051	Function Name: NtCreateSemaphore
Status: Not hooked

#: 052	Function Name: NtCreateSymbolicLinkObject
Status: Not hooked

#: 053	Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x895846f0

#: 054	Function Name: NtCreateTimer
Status: Not hooked

#: 055	Function Name: NtCreateToken
Status: Not hooked

#: 056	Function Name: NtCreateWaitablePort
Status: Not hooked

#: 057	Function Name: NtDebugActiveProcess
Status: Not hooked

#: 058	Function Name: NtDebugContinue
Status: Not hooked

#: 059	Function Name: NtDelayExecution
Status: Not hooked

#: 060	Function Name: NtDeleteAtom
Status: Not hooked

#: 061	Function Name: NtDeleteBootEntry
Status: Not hooked

#: 062	Function Name: NtDeleteFile
Status: Not hooked

#: 063	Function Name: NtDeleteKey
Status: Not hooked

#: 064	Function Name: NtDeleteObjectAuditAlarm
Status: Not hooked

#: 065	Function Name: NtDeleteValueKey
Status: Not hooked

#: 066	Function Name: NtDeviceIoControlFile
Status: Not hooked

#: 067	Function Name: NtDisplayString
Status: Not hooked

#: 068	Function Name: NtDuplicateObject
Status: Not hooked

#: 069	Function Name: NtDuplicateToken
Status: Not hooked

#: 070	Function Name: NtEnumerateBootEntries
Status: Not hooked

#: 071	Function Name: NtEnumerateKey
Status: Hooked by "spde.sys" at address 0xb9ecdda4

#: 072	Function Name: NtEnumerateSystemEnvironmentValuesEx
Status: Not hooked

#: 073	Function Name: NtEnumerateValueKey
Status: Hooked by "spde.sys" at address 0xb9ece132

#: 074	Function Name: NtExtendSection
Status: Not hooked

#: 075	Function Name: NtFilterToken
Status: Not hooked

#: 076	Function Name: NtFindAtom
Status: Not hooked

#: 077	Function Name: NtFlushBuffersFile
Status: Not hooked

#: 078	Function Name: NtFlushInstructionCache
Status: Not hooked

#: 079	Function Name: NtFlushKey
Status: Not hooked

#: 080	Function Name: NtFlushVirtualMemory
Status: Not hooked

#: 081	Function Name: NtFlushWriteBuffer
Status: Not hooked

#: 082	Function Name: NtFreeUserPhysicalPages
Status: Not hooked

#: 083	Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89502700

#: 084	Function Name: NtFsControlFile
Status: Not hooked

#: 085	Function Name: NtGetContextThread
Status: Not hooked

#: 086	Function Name: NtGetDevicePowerState
Status: Not hooked

#: 087	Function Name: NtGetPlugPlayEvent
Status: Not hooked

#: 088	Function Name: NtGetWriteWatch
Status: Not hooked

#: 089	Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x88bf12f0

#: 090	Function Name: NtImpersonateClientOfPort
Status: Not hooked

#: 091	Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x88e9d6b8

#: 092	Function Name: NtInitializeRegistry
Status: Not hooked

#: 093	Function Name: NtInitiatePowerAction
Status: Not hooked

#: 094	Function Name: NtIsProcessInJob
Status: Not hooked

#: 095	Function Name: NtIsSystemResumeAutomatic
Status: Not hooked

#: 096	Function Name: NtListenPort
Status: Not hooked

#: 097	Function Name: NtLoadDriver
Status: Not hooked

#: 098	Function Name: NtLoadKey
Status: Not hooked

#: 099	Function Name: NtLoadKey2
Status: Not hooked

#: 100	Function Name: NtLockFile
Status: Not hooked

#: 101	Function Name: NtLockProductActivationKeys
Status: Not hooked

#: 102	Function Name: NtLockRegistryKey
Status: Not hooked

#: 103	Function Name: NtLockVirtualMemory
Status: Not hooked

#: 104	Function Name: NtMakePermanentObject
Status: Not hooked

#: 105	Function Name: NtMakeTemporaryObject
Status: Not hooked

#: 106	Function Name: NtMapUserPhysicalPages
Status: Not hooked

#: 107	Function Name: NtMapUserPhysicalPagesScatter
Status: Not hooked

#: 108	Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x894ff6f0

#: 109	Function Name: NtModifyBootEntry
Status: Not hooked

#: 110	Function Name: NtNotifyChangeDirectoryFile
Status: Not hooked

#: 111	Function Name: NtNotifyChangeKey
Status: Not hooked

#: 112	Function Name: NtNotifyChangeMultipleKeys
Status: Not hooked

#: 113	Function Name: NtOpenDirectoryObject
Status: Not hooked

#: 114	Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x895a96d0

#: 115	Function Name: NtOpenEventPair
Status: Not hooked

#: 116	Function Name: NtOpenFile
Status: Not hooked

#: 117	Function Name: NtOpenIoCompletion
Status: Not hooked

#: 118	Function Name: NtOpenJobObject
Status: Not hooked

#: 119	Function Name: NtOpenKey
Status: Hooked by "spde.sys" at address 0xb9eb50c0

#: 120	Function Name: NtOpenMutant
Status: Not hooked

#: 121	Function Name: NtOpenObjectAuditAlarm
Status: Not hooked

#: 122	Function Name: NtOpenProcess
Status: Not hooked

#: 123	Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x896266d0

#: 124	Function Name: NtOpenProcessTokenEx
Status: Not hooked

#: 125	Function Name: NtOpenSection
Status: Not hooked

#: 126	Function Name: NtOpenSemaphore
Status: Not hooked

#: 127	Function Name: NtOpenSymbolicLinkObject
Status: Not hooked

#: 128	Function Name: NtOpenThread
Status: Not hooked

#: 129	Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x894f7700

#: 130	Function Name: NtOpenThreadTokenEx
Status: Not hooked

#: 131	Function Name: NtOpenTimer
Status: Not hooked

#: 132	Function Name: NtPlugPlayControl
Status: Not hooked

#: 133	Function Name: NtPowerInformation
Status: Not hooked

#: 134	Function Name: NtPrivilegeCheck
Status: Not hooked

#: 135	Function Name: NtPrivilegeObjectAuditAlarm
Status: Not hooked

#: 136	Function Name: NtPrivilegedServiceAuditAlarm
Status: Not hooked

#: 137	Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xba1ed840

#: 138	Function Name: NtPulseEvent
Status: Not hooked

#: 139	Function Name: NtQueryAttributesFile
Status: Not hooked

#: 140	Function Name: NtQueryBootEntryOrder
Status: Not hooked

#: 141	Function Name: NtQueryBootOptions
Status: Not hooked

#: 142	Function Name: NtQueryDebugFilterState
Status: Not hooked

#: 143	Function Name: NtQueryDefaultLocale
Status: Not hooked

#: 144	Function Name: NtQueryDefaultUILanguage
Status: Not hooked

#: 145	Function Name: NtQueryDirectoryFile
Status: Not hooked

#: 146	Function Name: NtQueryDirectoryObject
Status: Not hooked

#: 147	Function Name: NtQueryEaFile
Status: Not hooked

#: 148	Function Name: NtQueryEvent
Status: Not hooked

#: 149	Function Name: NtQueryFullAttributesFile
Status: Not hooked

#: 150	Function Name: NtQueryInformationAtom
Status: Not hooked

#: 151	Function Name: NtQueryInformationFile
Status: Not hooked

#: 152	Function Name: NtQueryInformationJobObject
Status: Not hooked

#: 153	Function Name: NtQueryInformationPort
Status: Not hooked

#: 154	Function Name: NtQueryInformationProcess
Status: Not hooked

#: 155	Function Name: NtQueryInformationThread
Status: Not hooked

#: 156	Function Name: NtQueryInformationToken
Status: Not hooked

#: 157	Function Name: NtQueryInstallUILanguage
Status: Not hooked

#: 158	Function Name: NtQueryIntervalProfile
Status: Not hooked

#: 159	Function Name: NtQueryIoCompletion
Status: Not hooked

#: 160	Function Name: NtQueryKey
Status: Hooked by "spde.sys" at address 0xb9ece20a

#: 161	Function Name: NtQueryMultipleValueKey
Status: Not hooked

#: 162	Function Name: NtQueryMutant
Status: Not hooked

#: 163	Function Name: NtQueryObject
Status: Not hooked

#: 164	Function Name: NtQueryOpenSubKeys
Status: Not hooked

#: 165	Function Name: NtQueryPerformanceCounter
Status: Not hooked

#: 166	Function Name: NtQueryQuotaInformationFile
Status: Not hooked

#: 167	Function Name: NtQuerySection
Status: Not hooked

#: 168	Function Name: NtQuerySecurityObject
Status: Not hooked

#: 169	Function Name: NtQuerySemaphore
Status: Not hooked

#: 170	Function Name: NtQuerySymbolicLinkObject
Status: Not hooked

#: 171	Function Name: NtQuerySystemEnvironmentValue
Status: Not hooked

#: 172	Function Name: NtQuerySystemEnvironmentValueEx
Status: Not hooked

#: 173	Function Name: NtQuerySystemInformation
Status: Not hooked

#: 174	Function Name: NtQuerySystemTime
Status: Not hooked

#: 175	Function Name: NtQueryTimer
Status: Not hooked

#: 176	Function Name: NtQueryTimerResolution
Status: Not hooked

#: 177	Function Name: NtQueryValueKey
Status: Hooked by "spde.sys" at address 0xb9ece08a

#: 178	Function Name: NtQueryVirtualMemory
Status: Not hooked

#: 179	Function Name: NtQueryVolumeInformationFile
Status: Not hooked

#: 180	Function Name: NtQueueApcThread
Status: Not hooked

#: 181	Function Name: NtRaiseException
Status: Not hooked

#: 182	Function Name: NtRaiseHardError
Status: Not hooked

#: 183	Function Name: NtReadFile
Status: Not hooked

#: 184	Function Name: NtReadFileScatter
Status: Not hooked

#: 185	Function Name: NtReadRequestData
Status: Not hooked

#: 186	Function Name: NtReadVirtualMemory
Status: Not hooked

#: 187	Function Name: NtRegisterThreadTerminatePort
Status: Not hooked

#: 188	Function Name: NtReleaseMutant
Status: Not hooked

#: 189	Function Name: NtReleaseSemaphore
Status: Not hooked

#: 190	Function Name: NtRemoveIoCompletion
Status: Not hooked

#: 191	Function Name: NtRemoveProcessDebug
Status: Not hooked

#: 192	Function Name: NtRenameKey
Status: Not hooked

#: 193	Function Name: NtReplaceKey
Status: Not hooked

#: 194	Function Name: NtReplyPort
Status: Not hooked

#: 195	Function Name: NtReplyWaitReceivePort
Status: Not hooked

#: 196	Function Name: NtReplyWaitReceivePortEx
Status: Not hooked

#: 197	Function Name: NtReplyWaitReplyPort
Status: Not hooked

#: 198	Function Name: NtRequestDeviceWakeup
Status: Not hooked

#: 199	Function Name: NtRequestPort
Status: Not hooked

#: 200	Function Name: NtRequestWaitReplyPort
Status: Not hooked

#: 201	Function Name: NtRequestWakeupLatency
Status: Not hooked

#: 202	Function Name: NtResetEvent
Status: Not hooked

#: 203	Function Name: NtResetWriteWatch
Status: Not hooked

#: 204	Function Name: NtRestoreKey
Status: Not hooked

#: 205	Function Name: NtResumeProcess
Status: Not hooked

#: 206	Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x895f16d0

#: 207	Function Name: NtSaveKey
Status: Not hooked

#: 208	Function Name: NtSaveKeyEx
Status: Not hooked

#: 209	Function Name: NtSaveMergedKeys
Status: Not hooked

#: 210	Function Name: NtSecureConnectPort
Status: Not hooked

#: 211	Function Name: NtSetBootEntryOrder
Status: Not hooked

#: 212	Function Name: NtSetBootOptions
Status: Not hooked

#: 213	Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x89be1d10

#: 214	Function Name: NtSetDebugFilterState
Status: Not hooked

#: 215	Function Name: NtSetDefaultHardErrorPort
Status: Not hooked

#: 216	Function Name: NtSetDefaultLocale
Status: Not hooked

#: 217	Function Name: NtSetDefaultUILanguage
Status: Not hooked

#: 218	Function Name: NtSetEaFile
Status: Not hooked

#: 219	Function Name: NtSetEvent
Status: Not hooked

#: 220	Function Name: NtSetEventBoostPriority
Status: Not hooked

#: 221	Function Name: NtSetHighEventPair
Status: Not hooked

#: 222	Function Name: NtSetHighWaitLowEventPair
Status: Not hooked

#: 223	Function Name: NtSetInformationDebugObject
Status: Not hooked

#: 224	Function Name: NtSetInformationFile
Status: Not hooked

#: 225	Function Name: NtSetInformationJobObject
Status: Not hooked

#: 226	Function Name: NtSetInformationKey
Status: Not hooked

#: 227	Function Name: NtSetInformationObject
Status: Not hooked

#: 228	Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x894fa700

#: 229	Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x894f2700

#: 230	Function Name: NtSetInformationToken
Status: Not hooked

#: 231	Function Name: NtSetIntervalProfile
Status: Not hooked

#: 232	Function Name: NtSetIoCompletion
Status: Not hooked

#: 233	Function Name: NtSetLdtEntries
Status: Not hooked

#: 234	Function Name: NtSetLowEventPair
Status: Not hooked

#: 235	Function Name: NtSetLowWaitHighEventPair
Status: Not hooked

#: 236	Function Name: NtSetQuotaInformationFile
Status: Not hooked

#: 237	Function Name: NtSetSecurityObject
Status: Not hooked

#: 238	Function Name: NtSetSystemEnvironmentValue
Status: Not hooked

#: 239	Function Name: NtSetSystemEnvironmentValueEx
Status: Not hooked

#: 240	Function Name: NtSetSystemInformation
Status: Not hooked

#: 241	Function Name: NtSetSystemPowerState
Status: Not hooked

#: 242	Function Name: NtSetSystemTime
Status: Not hooked

#: 243	Function Name: NtSetThreadExecutionState
Status: Not hooked

#: 244	Function Name: NtSetTimer
Status: Not hooked

#: 245	Function Name: NtSetTimerResolution
Status: Not hooked

#: 246	Function Name: NtSetUuidSeed
Status: Not hooked

#: 247	Function Name: NtSetValueKey
Status: Hooked by "spde.sys" at address 0xb9ece29c

#: 248	Function Name: NtSetVolumeInformationFile
Status: Not hooked

#: 249	Function Name: NtShutdownSystem
Status: Not hooked

#: 250	Function Name: NtSignalAndWaitForSingleObject
Status: Not hooked

#: 251	Function Name: NtStartProfile
Status: Not hooked

#: 252	Function Name: NtStopProfile
Status: Not hooked

#: 253	Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x895a66d0

#: 254	Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8a2ea118

#: 255	Function Name: NtSystemDebugControl
Status: Not hooked

#: 256	Function Name: NtTerminateJobObject
Status: Not hooked

#: 257	Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x895f36d0

#: 258	Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x895e86d0

#: 259	Function Name: NtTestAlert
Status: Not hooked

#: 260	Function Name: NtTraceEvent
Status: Not hooked

#: 261	Function Name: NtTranslateFilePath
Status: Not hooked

#: 262	Function Name: NtUnloadDriver
Status: Not hooked

#: 263	Function Name: NtUnloadKey
Status: Not hooked

#: 264	Function Name: NtUnloadKeyEx
Status: Not hooked

#: 265	Function Name: NtUnlockFile
Status: Not hooked

#: 266	Function Name: NtUnlockVirtualMemory
Status: Not hooked

#: 267	Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x89bf9d10

#: 268	Function Name: NtVdmControl
Status: Not hooked

#: 269	Function Name: NtWaitForDebugEvent
Status: Not hooked

#: 270	Function Name: NtWaitForMultipleObjects
Status: Not hooked

#: 271	Function Name: NtWaitForSingleObject
Status: Not hooked

#: 272	Function Name: NtWaitHighEventPair
Status: Not hooked

#: 273	Function Name: NtWaitLowEventPair
Status: Not hooked

#: 274	Function Name: NtWriteFile
Status: Not hooked

#: 275	Function Name: NtWriteFileGather
Status: Not hooked

#: 276	Function Name: NtWriteRequestData
Status: Not hooked

#: 277	Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89505700

#: 278	Function Name: NtYieldExecution
Status: Not hooked

#: 279	Function Name: NtCreateKeyedEvent
Status: Not hooked

#: 280	Function Name: NtOpenKeyedEvent
Status: Not hooked

#: 281	Function Name: NtReleaseKeyedEvent
Status: Not hooked

#: 282	Function Name: NtWaitForKeyedEvent
Status: Not hooked

#: 283	Function Name: NtQueryPortInformationProcess
Status: Not hooked

No highlights from the stealth objects scan. Sorry for all these logs, I am fairly paranoid and desperate now, and I am ready to reformat the HD.

[edit 2.11.09]
I ran GMER. Below is the output log.
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-02 16:56:57
Windows 5.1.2600 Service Pack 3
Running: 2w38ztd8.exe; Driver: C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\uwrdauob.sys


---- System - GMER 1.0.15 ----

SSDT			894FE6D0																											  ZwAlertResumeThread
SSDT			895016D0																											  ZwAlertThread
SSDT			89509700																											  ZwAllocateVirtualMemory
SSDT			895A76F0																											  ZwConnectPort
SSDT			sphu.sys																											  ZwCreateKey [0xB9EB50E0]
SSDT			894E3700																											  ZwCreateMutant
SSDT			88A8A1F0																											  ZwCreateThread
SSDT			sphu.sys																											  ZwEnumerateKey [0xB9ECDDA4]
SSDT			sphu.sys																											  ZwEnumerateValueKey [0xB9ECE132]
SSDT			89503700																											  ZwFreeVirtualMemory
SSDT			894F96D0																											  ZwImpersonateAnonymousToken
SSDT			894FC6D0																											  ZwImpersonateThread
SSDT			895006F0																											  ZwMapViewOfSection
SSDT			894F66D0																											  ZwOpenEvent
SSDT			sphu.sys																											  ZwOpenKey [0xB9EB50C0]
SSDT			88BC4E10																											  ZwOpenProcessToken
SSDT			894F8700																											  ZwOpenThreadToken
SSDT			\??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)						 ZwProtectVirtualMemory [0xBA1ED840]
SSDT			sphu.sys																											  ZwQueryKey [0xB9ECE20A]
SSDT			sphu.sys																											  ZwQueryValueKey [0xB9ECE08A]
SSDT			89588710																											  ZwResumeThread
SSDT			8950A6D0																											  ZwSetContextThread
SSDT			894FB700																											  ZwSetInformationProcess
SSDT			894F3700																											  ZwSetInformationThread
SSDT			sphu.sys																											  ZwSetValueKey [0xB9ECE29C]
SSDT			894F46D0																											  ZwSuspendProcess
SSDT			895046D0																											  ZwSuspendThread
SSDT			88EC97F8																											  ZwTerminateProcess
SSDT			895076D0																											  ZwTerminateThread
SSDT			8950C6D0																											  ZwUnmapViewOfSection
SSDT			89506700																											  ZwWriteVirtualMemory

INT 0x73		?																													 8A4C7BF8
INT 0xA4		?																													 8A40BBF8
INT 0xB1		?																													 8A4C7BF8
INT 0xB1		?																													 8A4C7BF8
INT 0xB4		?																													 8A40BBF8

---- Kernel code sections - GMER 1.0.15 ----

.text		   ntkrnlpa.exe!ZwCallbackReturn + 2C40																				  805044DC 2 Bytes  [F0, 76]
?			   sphu.sys																											  The system cannot find the file specified. !
.text		   USBPORT.SYS!DllUnload																								 B96328AC 5 Bytes  JMP 8A40B1D8 
.text		   atox1crd.SYS																										  B9489386 35 Bytes  [00, 00, 00, 00, 00, 00, 20, ...]
.text		   atox1crd.SYS																										  B94893AA 24 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text		   atox1crd.SYS																										  B94893C4 3 Bytes  [00, 70, 02] {ADD [EAX+0x2], DH}
.text		   atox1crd.SYS																										  B94893C9 1 Byte  [2E]
.text		   atox1crd.SYS																										  B94893C9 11 Bytes  [2E, 00, 00, 00, 5A, 02, 00, ...]
.text		   ...																												   
.text		   ac4yv4ec.SYS																										  B9450386 35 Bytes  [00, 00, 00, 00, 00, 00, 20, ...]
.text		   ac4yv4ec.SYS																										  B94503AA 24 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text		   ac4yv4ec.SYS																										  B94503C4 3 Bytes  [00, 80, 02]
.text		   ac4yv4ec.SYS																										  B94503C9 1 Byte  [30]
.text		   ac4yv4ec.SYS																										  B94503C9 11 Bytes  [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text		   ...																												   
?			   C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS																		   The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT			 atapi.sys[HAL.dll!READ_PORT_UCHAR]																					[B9EB6042] sphu.sys
IAT			 atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]																			[B9EB613E] sphu.sys
IAT			 atapi.sys[HAL.dll!READ_PORT_USHORT]																				   [B9EB60C0] sphu.sys
IAT			 atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]																		   [B9EB6800] sphu.sys
IAT			 atapi.sys[HAL.dll!WRITE_PORT_UCHAR]																				   [B9EB66D6] sphu.sys
IAT			 \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]													[B9EC5B90] sphu.sys
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!KfAcquireSpinLock]												  CCCCCCC3
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!READ_PORT_UCHAR]													CCCCCCCC
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!KeGetCurrentIrql]												   CCCCCCCC
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!KfRaiseIrql]														CCCCCCCC
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!KfLowerIrql]														8BEC8B55
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!HalGetInterruptVector]											  00C73445
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!HalTranslateBusAddress]											 00000000
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!KeStallExecutionProcessor]										  830C458B
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!KfReleaseSpinLock]												  C0840CEC
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]											053C0D74
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!READ_PORT_USHORT]												   57B80974
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]										   8B000000
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!WRITE_PORT_UCHAR]												   56C35DE5
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[WMILIB.SYS!WmiSystemControl]												8D51FC4D
IAT			 \SystemRoot\System32\Drivers\atox1crd.SYS[WMILIB.SYS!WmiCompleteRequest]											  8D52FD55
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!KfAcquireSpinLock]												  18C4830E
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!READ_PORT_UCHAR]													1C959E88
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!KeGetCurrentIrql]												   9E880000
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!KfRaiseIrql]														00001CB1
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!KfLowerIrql]														0E798366
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!HalGetInterruptVector]											  74AAB000
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!HalTranslateBusAddress]											 8986C636
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!KeStallExecutionProcessor]										  1A00001C
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!KfReleaseSpinLock]												  1C8B86C6
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]											C6020000
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!READ_PORT_USHORT]												   001C9686
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]										   86C60200
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!WRITE_PORT_UCHAR]												   00001CB2
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[WMILIB.SYS!WmiSystemControl]												8800001C
IAT			 \SystemRoot\System32\Drivers\ac4yv4ec.SYS[WMILIB.SYS!WmiCompleteRequest]											  001CB99E

---- Devices - GMER 1.0.15 ----

Device																																8A4521F8
Device																																Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device		  \Driver\Tcpip \Device\Ip																							  wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice  \Driver\Tcpip \Device\Ip																							  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device		  \Driver\sptd \Device\3247559906																					   sphu.sys
Device		  \Driver\usbohci \Device\USBPDO-0																					  8A2EA500
Device		  \Driver\usbehci \Device\USBPDO-1																					  8A4091F8
Device		  \Driver\sptd \Device\3247716156																					   sphu.sys
Device		  \Driver\PCI_PNP8656 \Device\00000054																				  sphu.sys
Device		  \Driver\PCI_PNP8656 \Device\00000055																				  sphu.sys
Device		  \Driver\NetBT \Device\NetBT_Tcpip_{0966F872-6675-4638-ABE3-618858EBB6B0}											  88BF2500
Device		  \Driver\Tcpip \Device\Tcp																							 wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice  \Driver\Tcpip \Device\Tcp																							 SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device		  \Driver\Ftdisk \Device\HarddiskVolume1																				8A4C51F8
Device		  \Driver\Ftdisk \Device\HarddiskVolume2																				8A4C51F8
Device		  \Driver\Cdrom \Device\CdRom0																						  8A2961F8
Device		  \Driver\Cdrom \Device\CdRom1																						  8A2961F8
Device		  \Driver\atapi \Device\Ide\IdePort0																					[B9E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device		  \Driver\atapi \Device\Ide\IdePort1																					[B9E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device		  \Driver\Cdrom \Device\CdRom2																						  8A2961F8
Device		  \Driver\NetBT \Device\NetBt_Wins_Export																			   88BF2500
Device		  \Driver\NetBT \Device\NetbiosSmb																					  88BF2500
Device		  \Driver\Tcpip \Device\Udp																							 wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice  \Driver\Tcpip \Device\Udp																							 SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device		  \Driver\Tcpip \Device\RawIp																						   wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice  \Driver\Tcpip \Device\RawIp																						   SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device		  \Driver\usbohci \Device\USBFDO-0																					  8A2EA500
Device		  \Driver\usbehci \Device\USBFDO-1																					  8A4091F8
Device		  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver																	 88E9A500
Device		  \Driver\Tcpip \Device\IPMULTICAST																					 wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
Device																																88E9A500
Device		  \Driver\Ftdisk \Device\FtControl																					  8A4C51F8
Device		  \Driver\ac4yv4ec \Device\Scsi\ac4yv4ec1Port4Path0Target0Lun0														  8A288500
Device		  \Driver\nvgts \Device\Scsi\nvgts2Port3Path1Target1Lun0																8A4C41F8
Device		  \Driver\nvgts \Device\Scsi\nvgts1Port2Path0Target0Lun0																8A4C41F8
Device		  \Driver\atox1crd \Device\Scsi\atox1crd1																			   8A28D500
Device		  \Driver\atox1crd \Device\Scsi\atox1crd1Port5Path0Target0Lun0														  8A28D500
Device		  \Driver\nvgts \Device\Scsi\nvgts1																					 8A4C41F8
Device		  \Driver\nvgts \Device\Scsi\nvgts2																					 8A4C41F8
Device		  \Driver\ac4yv4ec \Device\Scsi\ac4yv4ec1																			   8A288500
Device																																88A6F500
Device																																Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1																	771343423
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2																	285507792
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0																	3
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04									  
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0								   C:\Alcohol Soft\Alcohol 120\
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0								   2
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew								0x53 0xD6 0x22 0x5B ...
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001							 
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0						  0x20 0x01 0x00 0x00 ...
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew					   0x7E 0x66 0x73 0x82 ...
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40					  
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew				0xAA 0x91 0x5D 0x33 ...
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC									  
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0								   0
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12								0x20 0x3D 0x12 0x6E ...
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0								   0xD4 0xC3 0x97 0x02 ...
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0								   C:\DAEMON Tools Lite\
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001							 
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0						  0x20 0x01 0x00 0x00 ...
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12					   0xCC 0x3C 0x8A 0xE5 ...
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0						
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12				  0xBB 0xF9 0xB1 0x48 ...
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4									  
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0								   1
Reg			 HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh								0x9E 0x17 0x3A 0x8C ...
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)				  
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0									   C:\Alcohol Soft\Alcohol 120\
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0									   2
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew									0x53 0xD6 0x22 0x5B ...
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)		 
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0							  0x20 0x01 0x00 0x00 ...
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew						   0x7E 0x66 0x73 0x82 ...
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)  
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew					0x6F 0xCF 0x15 0x03 ...
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)				  
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0									   0
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12									0x20 0x3D 0x12 0x6E ...
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0									   0xD4 0xC3 0x97 0x02 ...
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0									   C:\DAEMON Tools Lite\
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)		 
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0							  0x20 0x01 0x00 0x00 ...
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12						   0xCC 0x3C 0x8A 0xE5 ...
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)	
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12					  0xBB 0xF9 0xB1 0x48 ...
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)				  
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0									   1
Reg			 HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh									0x9E 0x17 0x3A 0x8C ...

---- EOF - GMER 1.0.15 ----

Then I ran ComboFix...
ComboFix 09-11-01.04 - Window User 11/02/2009 17:06.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2603 [GMT -5:00]
Running from: c:\download\fix\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe

Infected copy of c:\windows\System32\DRIVERS\nvgts.sys was found and disinfected
Restored copy from - Kitty ate it :P
.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2009-11-02 22:04 . 2008-04-13 18:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-02 22:04 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-02 22:04 . 2006-08-21 18:24 105344 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2009-11-02 06:27 . 2009-11-02 06:27 -------- d-----w- c:\documents and settings\Window User\Application Data\Malwarebytes
2009-11-02 06:27 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 06:27 . 2009-11-02 06:27 -------- d-----w- C:\Malwarebytes' Anti-Malware
2009-11-02 06:27 . 2009-11-02 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-02 06:27 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 02:57 . 2009-11-02 02:57 -------- d-----w- C:\Trend Micro
2009-11-02 02:13 . 2009-11-02 02:13 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-02 02:03 . 2009-11-02 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-02 01:44 . 2009-11-02 03:12 -------- d-----w- C:\Spybot - Search & Destroy
2009-11-02 01:44 . 2009-11-02 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-01 23:54 . 2009-11-01 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-01 23:54 . 2009-11-02 01:12 -------- d-----w- c:\documents and settings\Window User\Application Data\SUPERAntiSpyware.com
2009-11-01 23:54 . 2009-11-02 01:12 -------- d-----w- C:\SUPERAntiSpyware
2009-11-01 23:41 . 2009-11-01 23:41 -------- d-----w- C:\RootkitNO
2009-11-01 22:19 . 2009-11-01 22:19 2 --shatr- c:\windows\winstart.bat
2009-11-01 22:19 . 2009-11-02 00:34 -------- d-----w- C:\UnHackMe
2009-11-01 21:37 . 2009-11-01 21:37 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-01 21:37 . 2009-11-01 21:54 -------- d-----w- C:\DAEMON Tools Lite
2009-11-01 21:37 . 2009-11-01 21:37 -------- d-----w- C:\Any Video Converter Professional
2009-11-01 05:35 . 2009-11-01 05:35 -------- d-----w- c:\documents and settings\Window User\Local Settings\Application Data\Aspyr
2009-11-01 05:02 . 2009-11-01 05:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-01 04:50 . 2009-11-02 00:30 -------- d-----w- c:\program files\WinDefender32
2009-10-31 05:06 . 2009-10-31 05:06 -------- d-----w- c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP
2009-10-31 05:06 . 2009-11-02 00:55 -------- d-----w- C:\Codemasters
2009-10-21 07:04 . 2009-10-14 05:37 315392 ----a-w- c:\windows\system32\TubeFinder.exe
2009-10-21 07:04 . 2009-10-21 07:14 -------- d-----w- c:\documents and settings\Window User\Application Data\FreeFLVConverter
2009-10-21 07:04 . 2009-10-21 07:04 -------- d-----w- C:\Free FLV Converter
2009-10-21 07:04 . 2009-06-19 23:51 9728 ----a-w- c:\windows\system32\PCCLPFR.DLL
2009-10-21 07:04 . 2009-06-19 23:51 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2009-10-21 07:04 . 2009-06-19 23:51 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2009-10-21 07:04 . 2009-06-19 23:51 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2009-10-21 07:04 . 2009-06-19 23:51 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-10-19 09:19 . 2009-10-19 09:19 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-05 06:19 . 2009-10-05 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-10-05 06:18 . 2009-10-05 06:18 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-10-05 06:18 . 2008-04-07 09:38 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2009-10-05 06:18 . 2008-04-07 09:38 45392 ----a-r- c:\windows\system32\AdobePDF.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 06:26 . 2009-02-12 11:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-02 06:26 . 2009-06-28 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Thomson.ResearchSoft.Installers
2009-11-01 22:20 . 2009-03-24 18:37 -------- d-----w- c:\documents and settings\Window User\Application Data\DAEMON Tools Lite
2009-11-01 21:52 . 2009-02-12 15:05 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-01 21:52 . 2009-03-24 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-11-01 21:34 . 2009-11-01 21:28 4928 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-11-01 11:18 . 2009-07-04 11:24 1103040 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-31 05:33 . 2009-02-13 22:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-28 17:13 . 2009-06-28 17:44 -------- d-----w- c:\documents and settings\Window User\Application Data\EndNote
2009-10-08 19:57 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57 . 2003-03-31 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56 . 2003-03-31 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-07 09:29 . 2009-02-12 12:20 31312 ----a-w- c:\documents and settings\Window User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-06 06:35 . 2009-09-10 05:11 -------- d-----w- c:\program files\Nitro PDF
2009-10-05 06:18 . 2009-02-12 19:35 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-02 06:54 . 2009-10-02 06:54 -------- d-----w- c:\program files\ieSpell
2009-10-01 17:10 . 2009-09-10 05:12 -------- d-----w- c:\documents and settings\Window User\Application Data\PrimoPDF
2009-09-29 10:18 . 2009-09-29 10:13 -------- d-----w- c:\documents and settings\Window User\Application Data\Any Video Converter Professional
2009-09-22 11:09 . 2009-03-08 05:01 -------- d-----w- c:\program files\Brother
2009-09-20 08:22 . 2009-02-12 11:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-19 05:44 . 2009-09-19 05:44 -------- d-----w- c:\documents and settings\Window User\Application Data\Eltima Software
2009-09-18 04:22 . 2009-09-18 04:22 -------- d-----w- c:\documents and settings\Window User\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-09-18 03:41 . 2009-09-18 03:41 -------- d-----w- c:\documents and settings\Window User\Application Data\Reallusion
2009-09-18 03:35 . 2009-03-08 05:03 34 ----a-w- c:\windows\system32\BD2040.DAT
2009-09-18 03:29 . 2009-09-18 03:29 50 ----a-w- c:\windows\system32\bridf07a.dat
2009-09-18 03:27 . 2009-09-18 03:27 -------- d-----w- c:\program files\Nuance
2009-09-18 03:27 . 2009-09-18 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-09-18 03:27 . 2009-09-18 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-09-18 03:26 . 2009-09-18 03:26 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-09-18 03:26 . 2009-02-12 11:52 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-18 03:26 . 2009-09-18 03:26 -------- d-----w- c:\program files\ScanSoft
2009-09-18 03:26 . 2009-09-18 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-09-17 02:40 . 2009-09-17 02:40 -------- d-----w- c:\documents and settings\Window User\Application Data\adma
2009-09-16 07:12 . 2009-05-04 12:05 -------- d-----w- c:\documents and settings\Window User\Application Data\mIRC
2009-09-12 10:01 . 2009-03-24 16:56 -------- d-----w- c:\documents and settings\Window User\Application Data\NewsLeecher
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 03:15 . 2009-09-09 03:15 -------- d-----w- c:\program files\AviSynth 2.5
2009-09-06 08:11 . 2009-09-06 07:36 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-09-06 08:11 . 2009-09-06 07:36 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 20:12 . 2009-09-04 20:12 -------- d-----w- c:\program files\Atari
2009-08-29 08:08 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-03-31 12:00 247326 ------w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2003-03-31 12:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-04 23:52 . 2009-08-04 23:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
.

------- Sigcheck -------

[-] 2009-02-15 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2009-02-15 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
[-] 2006-04-20 . B8158E2A6112C0A5CA67BC158FC70218 . 340480 . . [5.1.2600.1831] . . c:\windows\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp1qfe\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"AlcoholAutomount"="c:\alcohol soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"RivaTunerStartupDaemon"="c:\rivatuner v2.22\RivaTuner.exe" [2008-12-29 2732032]
"RemoteControl"="c:\cyberlink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LanguageShortcut"="c:\cyberlink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"EVGAPrecision"="c:\evga precision\EVGAPrecision.exe" [2008-12-22 240656]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-01-21 92168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-06-26 115560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-23 198160]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"Malwarebytes Anti-Malware (reboot)"="c:\malwarebytes' anti-malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-17 17508864]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-11 20992]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]

c:\documents and settings\Window User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\mIRC\\mirc.exe"=
"c:\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Codemasters\\Rise of the Argonauts\\Binaries\\RiseOfTheArgonauts.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 9:29 PM 102448]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/12/2009 7:06 AM 1684736]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [6/26/2009 11:22 AM 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
FF - ProfilePath - c:\documents and settings\Window User\Application Data\Mozilla\Firefox\Profiles\115u7vry.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?hl=en
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-02 17:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4C31F8]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\cyberlink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1343024091-562591055-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:1c,b5,1f,2a,35,c7,dd,bc,60,99,29,30,10,52,c6,33,80,a3,63,ab,59,
83,01,34,99,9f,a2,de,9c,75,c9,4e,35,87,76,2d,09,ba,12,14,a9,88,f7,c2,50,96,\
"rkeysecu"=hex:5e,06,95,84,54,bc,ea,5e,7b,64,dd,0b,25,98,e8,2b
.
Completion time: 2009-11-02 17:11
ComboFix-quarantined-files.txt 2009-11-02 22:11

Pre-Run: 332,230,701,056 bytes free
Post-Run: 332,812,492,800 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - F2355E43F9553E1E2BA9D4F7C71F7674

Edited by LDTate, 05 November 2009 - 04:17 PM.



#2 CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 07 November 2009 - 05:17 AM

Hi,

Please do the following:

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#3 CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,060 posts
  • MVP

Posted 12 November 2009 - 05:14 PM

Due to inactivity this topic will be closed. If you need help please start a new thread.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
